This document discusses content protection for web distribution. It introduces MPEG CENC (Common Encryption) as a standard that abstracts encryption from digital rights management (DRM) systems. This allows different DRMs to work with the same encrypted files. It also discusses HTML5 EME (Encrypted Media Extensions), which abstracts key management from browsers by providing a JavaScript API to pass keys to a content decryption module (CDM) like Microsoft's PlayReady. The document demonstrates these technologies by summarizing how Netflix uses CENC file formats with EME and PlayReady in Microsoft Internet Explorer 11 for protected streaming of its content on the web.
6. A new standard, what for?
• Abstracting encryption from DRMs
• Allows DRMs to share:
– keys, key identifiers, encryption algorithm, parameters and signaling
– location to store proprietary data
• Protection System Specific Header (PSSH ISOBMF box)
– leaves DRM implementation to individual systems
• Prior to this standard:
– different set of files required for each different DRM type
– interchange of files between authorized devices generally not possible because of different DRMs.
2/27/2014
Hangout Squad #2
6
7. Did you say standard?
• MPEG ISO Standard 23001-1 (2012, CENC)
• MPEG ISO Standard 23001-7 (2012, ISOBMF)
• MPEG ISO Standard 23001-9 (2014, MPEG-TS)
• Natural fit with MPEG-DASH
• Base of DECE CFF (UltraViolet)
• More on that later…
8. Buzz word slide
• Protection System Specific Header (PSSH) in file header
– Possibly several PSSH boxes = several DRMs
– For all tracks or a single track
– Association done via Key ID (128 bits): KID
– Crypto System
• AES-CTR and AES-CBC 128 bits
• InitializationVector (IV) : 64 or 128 bits (8 or 16 bytes)
• Default key + key-roll
• Storage of cypher instructions:
– senc box (HbbTV, CFF)
– or saiz/saio boxes
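An added example, not part of the original slides: a minimal Python parser for the PSSH box described above, listing which DRM systems and KIDs a file header signals. It goes beyond the slide by also handling version 1 boxes, which carry the KID list inside the box; the function names and the sample bytes are constructed here, and the SystemIDs are the publicly registered ones.

```python
import struct
import uuid
# Publicly registered CENC SystemIDs for the DRM systems named in these slides.
SYSTEM_IDS = {
    "9a04f079-9840-4286-ab92-e65be0885f95": "PlayReady",
    "edef8ba9-79d6-4ace-a3c8-27dcd51d21ed": "Widevine",
    "1077efec-c0b2-4d02-ace3-3c1e52e2fb4b": "Clear Key (common)",
}

def parse_pssh(body: bytes) -> dict:
    """Parse one 'pssh' payload (the bytes after the box size and type)."""
    if len(body) < 24:
        raise ValueError("pssh payload too short")
    version = body[0]  # FullBox header: 1 byte version, 3 bytes flags
    system_id = str(uuid.UUID(bytes=body[4:20]))
    off, kids = 20, []
    if version > 0:  # version 1 lists the KIDs in the box itself
        (count,) = struct.unpack_from(">I", body, off)
        off += 4
        if off + 16 * count + 4 > len(body):
            raise ValueError("KID count exceeds box length")
        kids = [body[off + 16 * i : off + 16 * (i + 1)].hex() for i in range(count)]
        off += 16 * count
    (data_size,) = struct.unpack_from(">I", body, off)
    if off + 4 + data_size != len(body):
        raise ValueError("DataSize does not match box length")
    return {"version": version, "system_id": system_id, "kids": kids,
            "drm": SYSTEM_IDS.get(system_id, "unknown"), "data": body[off + 4 :]}

def find_pssh(buf: bytes) -> list:
    """Walk a run of sibling ISOBMFF boxes and parse every 'pssh' among them."""
    out, pos = [], 0
    while pos < len(buf):
        if pos + 8 > len(buf):
            raise ValueError("truncated box header")
        size, kind = struct.unpack_from(">I4s", buf, pos)
        if size < 8 or pos + size > len(buf):  # also rejects the size 0/1 forms
            raise ValueError(f"bad box size {size} at offset {pos}")
        if kind == b"pssh":
            out.append(parse_pssh(buf[pos + 8 : pos + size]))
        pos += size
    return out

# Constructed sample: PlayReady v0 box (4-byte payload), then a v1 box with one KID.
SAMPLE = bytes.fromhex(
    "00000024" "70737368" "00000000" "9a04f07998404286ab92e65be0885f95" "00000004" "deadbeef"
    "00000034" "70737368" "01000000" "1077efecc0b24d02ace33c1e52e2fb4b" "00000001"
    "000102030405060708090a0b0c0d0e0f" "00000000"
)
```

`find_pssh(SAMPLE)` returns two entries, one per DRM system; the `data` field stays opaque because its layout is left to each DRM.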
9. Example: AES/CTR for AVC
• Different IV for each sample
• Note: clear and encrypted data in NAL Unit
12. EME
• EME is not:
– Not a DRM
– Not an official W3C recommendation:
• Only a Working Draft since May 2013
– Not a mandatory part of HTML5
• EME is:
– A HTML 5 Media Elements extension:
• Mandatory: <audio>, <video>
• Optional extensions:
– Media Source Extensions (MSE)
– Encrypted Media Extensions (EME)
– Web Crypto Extensions (WebCrypto)
– Editors:
• David Dorwin, Google, Inc.
• Adrian Bateman, Microsoft Corporation
• Mark Watson, Netflix, Inc.
– Jeff Jaffe, W3C (quote):
• APIs that would provide access to content decryption modules (CDMs) part of DRM systems.
• W3C is not standardizing CDM technology
13. Overview
• JavaScript API
– permits a Web application to hand Key Material to a Content Decryption Module (CDM)
[Diagram: Browser (JavaScript) → Key Material → CDM (black box)]
14. CDM
• Nature of the Key Material unspecified.
– i.e. “Key Material” is not simply a key
– Likely encrypted
• Not accessible in the browser
• Large scope
– Decoder or not
– No codec/container specified (H264/VP8, ISOBMF/WebM, *can* use CENC)
– Deployed with the browser or within the OS or the hardware (ARM TrustZone…)
• The EME draft defines one very simple CDM
– Clear Key
– Not realistic because Key Material is accessible to the Web application and the browser
– permits the HTML WG to demonstrate interoperability of the API
17. But EME is still insufficient
• CDMi by Microsoft:
http://download.microsoft.com/download/E/A/4/EA470677-6C3C-4AFE-8A86A196ADFD0F78/Content%20Decryption%20Module%20Interface%20Specification.pdf
18. Controversy
• Not the role of W3C?
• CDM = black box
– Return of our beloved: Flash, Silverlight, NaCl, …
– DMCA forbids inspection of DRMs
– Platform independence
• EME not self-sufficient (CDMi)
• Privacy:
– not only ask a server for a key, but also allow the CDM to transmit back a session id
– control who views what when with which software
– PKI (revocable certificates)
• “Watermarking is better than DRM”
– OTOY/ORBX.js: https://brendaneich.com/2013/05/today-i-saw-the-future/
19. Deployment
• Internet Explorer 11 + Windows 8.1
– Microsoft announces that it will leverage EME (and DASH through MSE) for PlayReady:
• http://www.microsoft.com/playready/features/ClientOptions.aspx
• Google Chrome (multi-platform): Widevine
– Chrome OS